
MS Blaster (aka W32/Lovsan)

Y_lifter

New member
Our Corporation is getting really hit hard with this one.

We have great Virus teams, but when I see them shutting off corporate WAN
VPN access for hours and actually shutting off entire facilities from the corporate WAN,
I know it's hitting us hard.

Anyone else getting hit hard by this one ?
 
We have approx. 130,000 employees, 150 larger-sized facilities worldwide, and hundreds of ways in.

We battled back all previous attacks, but this one is actually
slowing down the networks so you notice it..

They are thinking Asia for this one's origin. As usual.
 
I figured your IT guys would keep better tabs on the patches that are needed for the MS trash to stay safe.
 
XBiker said:
I figured your IT guys would keep better tabs on the patches that are needed for the MS trash to stay safe.

They are 110% on top of it on the boxes they can control.

The issue is people working remotely via VPN and smaller sites with maybe 4-5 people and a server connecting and re-infecting or SAPing the network...

Latest word is a new variant just arrived that uses SMTP to
slow the EMAIL networks to a crawl..
 
ICMP packets temp. blocked on all the border routers.

VPN coming back on with scanning for new connections, and if you
are infected, you get booted and the VPN account locked out
 
I used to have to deal with remote users via dial in and VPN.

If they didn't patch their stuff and reply that it was done, they got locked outta everything...

Dial up, VPN, domain, email, and even their cars.

:D
 
Y_Lifter said:


They are 110% on top of it on the boxes they can control.

The issue is people working remotely via VPN and smaller sites with maybe 4-5 people and a server connecting and re-infecting or SAPing the network...

Latest word is a new variant just arrived that uses SMTP to
slow the EMAIL networks to a crawl..

My DSL at home was crawling, last night. I was wondering if it was leftover remnants of the virus or Verizon being the only high speed provider that can't get their shit together after the blackout. Any thoughts?

Our T1 at work is still fucked because Verizon isn't on top of things?
 
We got hit really bad. I spent the last two days running around like a chicken without my head. It has not been pleasant. Everything seems to be quieting down today.
 
flexygrl said:
We got hit really bad. I spent the last two days running around like a chicken without my head. It has not been pleasant. Everything seems to be quieting down today.

You're in the IT bidniss?
 
Actually....I am not making as much as I am worth. I am always on the look out. I have it really good here, though. Great benefits, awesome vacation days, unlimited sick, free education. I love the people here. I have really grown a lot in 2 years.

Cute I.T. girls aren't rare anymore. There is a new breed of us now. We believe that customer support is top priority. Ever notice that most customer support people are cute? Well a lot of those girls are getting into I.T. now. The nerds with the attitudes are being pushed out, because girls like me can do their job better, more efficiently and with a smile.
 
flexygrl said:
Actually....I am not making as much as I am worth. I am always on the look out. I have it really good here, though. Great benefits, awesome vacation days, unlimited sick, free education. I love the people here. I have really grown a lot in 2 years.

Cute I.T. girls aren't rare anymore. There is a new breed of us now. We believe that customer support is top priority. Ever notice that most customer support people are cute? Well a lot of those girls are getting into I.T. now. The nerds with the attitudes are being pushed out, because girls like me can do their job better, more efficiently and with a smile.

Interesting you mention customer service. My motto for my IT dept is "It *is* customer service" I make 'em do follow-up on issues and actually be nice instead of surly and righteous.

SAIC is great pay, good benefits, but way more stress than most IT shops.
 
We are small, so it was easy to get patches in everything.

But the first few weeks that MS was aware of it, they never mentioned NT was open. Then I went back and looked yesterday and saw that NT is now also part of it (only via e-mail I guess, but not via the port spreading), so I had to patch a few more machines.

We have a fairly strict firewall up, so we never really had any issues.

We have far more issues with our MS servers crashing for other unknown reasons - but not this issue.

We also have a problem with some spam bots and spam viruses spreading with our fucking domain in them, so they we get on some RBLs - that is annoying like you wouldn't know.
 
Well, if they are hiring in NY, let me know. I am not afraid of a challenge. I have taken on job duties here that are far from my job description.

I am a stickler about keeping people happy. They all have my direct line here. Most people call me directly rather than going through the help desk first. I always tell people that I have been where they are. I know what it's like to not know something. I always tell my users that they should never, ever be afraid to ask me a question.

I love working in I.T. It's the greatest feeling to walk into a room and get ambushed for your knowledge. I just love it!!!
 
flexygrl said:
Well, if they are hiring in NY, let me know. I am not afraid of a challenge. I have taken on job duties here that are far from my job description.

I am a stickler about keeping people happy. They all have my direct line here. Most people call me directly rather than going through the help desk first. I always tell people that I have been where they are. I know what it's like to not know something. I always tell my users that they should never, ever be afraid to ask me a question.

I love working in I.T. It's the greatest feeling to walk into a room and get ambushed for your knowledge. I just love it!!!

Nope, nothing in NY.
I got req's open for San Diego, Utah and DC.
 
flexygrl said:

I am a stickler about keeping people happy.

That is like the anti-me.

If I have to sit there next to the person, then I'm gonna keep them happy.

But if I'm sitting at my desk and bored, sometimes I'll just restart the servers or turn off services just to hear people whine.
But then I look cool when I "fix" it all so quickly. :D
 
I switched my proxy to Denver due to the issues here on our network locally.

I would say anyone reporting slow network connectivity is either using Verizon, or being affected by the SAPing..
 
All you have to do is shut down a few incoming ports on your firewall, I believe actually only port 135 and you will keep that virus out. Sounds like some of you have slack ass network admins.

I'm not even officially an IT guy.. yet I play the role at my small firm.
 
SV2 said:
All you have to do is shut down a few incoming ports on your firewall, I believe actually only port 135 and you will keep that virus out. Sounds like some of you have slack ass network admins.

I'm not even officially an IT guy.. yet I play the role at my small firm.

135, 445, and 4444 - but 4444 is the one it spreads out of if I recall, so that is less of an issue to prevent getting it, but more to prevent spreading from there.

there is another one on UDP as well, but I am not all that sure.

I've only handled three systems with it, and none of those were on our network, they were laptops that people brought in for me to fix.

Most of the time when people think they have it, it is really that the worm is trying to get them and it occupies the system.

If you have XP, try activating the software firewall that is built in and it is better than nothing.
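The defender's side of the port discussion above, as an added example that is not code from the thread: detection logic run over constructed firewall log lines that picks out a host sweeping TCP/135 across many machines (worm behaviour) while ignoring a workstation that repeatedly talks RPC to one server, and separately records any hit on TCP/4444, the port the post ties to the worm's spread. The log format, window and threshold are assumptions.

```python
"""Flag Blaster-style TCP/135 sweeps in firewall logs.

Added example, not from the thread. The log line format is constructed
(a generic syslog-like allow/deny line, not any vendor's), and the
window and threshold are assumptions to tune for your own network."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.20.5.17 sweeps a subnet on TCP/135 and then touches
# TCP/4444; 10.20.3.9 legitimately talks RPC to a single server, repeatedly.
SAMPLE_LOG = """\
2003-08-12 09:14:01 DENY TCP 10.20.5.17:1041 -> 10.20.7.1:135
2003-08-12 09:14:01 DENY TCP 10.20.5.17:1042 -> 10.20.7.2:135
2003-08-12 09:14:02 DENY TCP 10.20.5.17:1043 -> 10.20.7.3:135
2003-08-12 09:14:02 DENY TCP 10.20.5.17:1044 -> 10.20.7.4:135
2003-08-12 09:14:03 DENY TCP 10.20.5.17:1045 -> 10.20.7.5:135
2003-08-12 09:14:03 DENY TCP 10.20.5.17:1046 -> 10.20.7.6:135
2003-08-12 09:14:05 ALLOW TCP 10.20.3.9:1120 -> 10.20.0.10:135
2003-08-12 09:14:09 ALLOW TCP 10.20.5.17:1047 -> 10.20.7.3:4444
2003-08-12 09:14:35 ALLOW TCP 10.20.3.9:1121 -> 10.20.0.10:135
2003-08-12 09:15:40 ALLOW TCP 10.20.3.9:1122 -> 10.20.0.10:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def find_sweeps(lines, window=timedelta(seconds=60), min_targets=5):
    """Return ({src: peak distinct TCP/135 targets seen within `window`},
    [(src, dst) for every TCP/4444 connection]). Counting distinct
    destinations, not raw attempts, separates a worm from a chatty client."""
    history = defaultdict(list)  # src -> [(ts, dst)] still inside the window
    sweeps, shell_port_hits = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP":
            continue
        if ev["dport"] == 4444:
            shell_port_hits.append((ev["src"], ev["dst"]))
        if ev["dport"] != 135:
            continue
        hist = history[ev["src"]]
        hist.append((ev["ts"], ev["dst"]))
        hist[:] = [h for h in hist if h[0] >= ev["ts"] - window]  # slide window
        targets = len({dst for _, dst in hist})
        if targets >= min_targets:
            sweeps[ev["src"]] = max(sweeps.get(ev["src"], 0), targets)
    return sweeps, shell_port_hits
```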
 
SV2 said:
All you have to do is shut down a few incoming ports on your firewall, I believe actually only port 135 and you will keep that virus out. Sounds like some of you have slack ass network admins.

I'm not even officially an IT guy.. yet I play the role at my small firm.

Thanks, I'll forward that to Cisco..
 
There are a few varients (variants? I can't spell) out there that are on other ports.

There are also spoof e-mails from MS that claim to be fixes that really put the worm/virus on your system.

On a small network, depending on what you are/aren't doing, a hardware firewall that disallows anything coming in on its own is an easy short term fix.

Y_Lifter's large company is likely running into issues with local applications that actually need RPC (remote procedure calls) and those getting shut out.
 
Well, I'm not a CCNA or a CCNP and I managed to keep the virus out with a $500 hardware firewall...

I do have a BRAIN though, that seems to help in these situations.

There are too few reasons ever to keep inbound ports open in your firewall, and when you do, you are only asking for trouble.
 
LOL.. dude W32/Sobig-F is a variant of the original Sobig which has been around since early this year, I think that goes back to January.... hardly news worthy...

If you have updated your definitions at least once since January sobig-f will be kicked out at your email server, assuming you scan on your email server... if not, I suggest you start.
 
Doesn't matter if the virus scanner finds SoBig when you still have everyone contacting you telling you that the virus scanner found something.

We have a layered system of virus control and I've had about 67 calls, e-mails, and physical contacts today from people getting hit by the SoBig shit. They get notification from a few places that they were just saved from a virus and they get all freaked and try to find me.

I would be thrilled if they were never told anything about it...

on the good side, they are all so paranoid of being the person to spread a virus that they are really good about not opening anything that ever does get through.
 
Why don't you guys scan the emails at the server before you push them out to the client machines?? The goal is to keep the virus off the desktops.. never trust end users not to do stupid things like open a virus... don't forget, it's your job if the person fucks up, not the end users.
 
SV2 said:
Why don't you guys scan the emails at the server before you push them out to the client machines?? The goal is to keep the virus off the desktops.. never trust end users not to do stupid things like open a virus... don't forget, it's your job if the person fucks up, not the end users.

We scan them on the servers that provide our net connection, we scan them on our mail server, we scan the network at the firewall, we scan the network over the fileservers, and we scan on individual machines.

We aren't retarded.

That said, the scanning is only as good as the updates. We have had problems with that in the past.
 
What, you can't schedule a task to pull new definitions daily?? Seems simple to me.. hell, you could use the at scheduler to do that if you had old NT 4.0 machines...

what a bunch of slackers...
 
SV2 said:
What, you can't schedule a task to pull new definitions daily?? Seems simple to me.. hell, you could use the at scheduler to do that if you had old NT 4.0 machines...

what a bunch of slackers...

You really are brilliant - thanks.

We have them set up to pull down the updates there, twinkie - but the updates are useless if they don't have the newest information - we are at the mercy of how good the updates are.

If the updates don't have the new stuff, then we can't block it.

Which is what I said in the first place.
 
300,000+ workstations of various flavors
10's of thousands of servers, mostly 2000 but also various flavors
Hundreds of border routers and several dozen firewall connections.
Connections to 15 countries, all with their own firewalls
I can't tell you how many apps going thru these connections
All needing to be patched in a matter of hours.
And let's not talk about updating workstation DAT files for that many machines, scheduled or not, in hours.

Yea, we scan very similar to Martha and probably even more.
But much like the United States, we must have openings to DOD, US Govmt and commercial networks and apps that leave us vulnerable no matter what we do.
We also have autonomous corporate business units that want to do IT their own way, which also leaves us open.

We had maybe two 4-6 hour windows this week where we saw an influx and shut things off, fixed the leaks and opened things back up again.

Most of our problems are end users not sure what they need to do, installing stuff and causing themselves more issues than not doing anything at all
 
SV2 said:
What, you can't schedule a task to pull new definitions daily?? Seems simple to me.. hell, you could use the at scheduler to do that if you had old NT 4.0 machines...

what a bunch of slackers...

Most real solutions pull new definitions every day anyway, dick-spackle.

It doesn't do much good since worms can spread through the internet within minutes.

Has anyone ever compared your mouth to your urethra?
 
We got hit last week, Mon & Tues...

We did really well, only a handful of pc's were infected in our offices, the field VPN users weren't as lucky..

We've got a lot of field testers who have pc's supplied by their home countries and they didn't have the most recent patches/updates.

It made for a busy day but nothing too bad. What's great is when there is a "big" problem going on, you don't have to deal with the small crap.
 
Code said:


Interesting you mention customer service. My motto for my IT dept is "It *is* customer service" I make 'em do follow-up on issues and actually be nice instead of surly and righteous.


sounds like "do as I say, not as I do"

Code, sometimes your remarks remind me of the SNL skit about Nick the Company Computer Guy.
 
Dawookie said:


sounds like "do as I say, not as I do"

Code, sometimes your remarks remind me of the SNL skit about Nick the Company Computer Guy.

I don't provide IT help to users of the board cock-bubble.
 
Dawookie said:


no, but you've got the surly and righteous part down..

cock-bubble, dick-spackle.. lol

I prefer to think of it as more curmudgeonly than surly.
 
Well, my network has never been hit with a worm or a virus in 2 and a half years.. guess I'm doing something right.. and I'm not even trained...

You can hire me for the right price..
 
SV2 said:
Well, my network has never been hit with a worm or a virus in 2 and a half years.. guess I'm doing something right.. and I'm not even trained...

You can hire me for the right price..

You wouldn't know a TCP stack from a short stack.

Get off this thread you post whoring cunt-lipped 'tard.
 
Well, I do know the TCP stack, so you are wrong there, but without taking a single IT class, I have set up and configured a firewall that has kept every virus/worm/trojan that has come down the internet pipe in the last two years off my network.. LOL, it's very simple.. anyone who fucks up is a moron, most IT people are not that smart.. it's a myth to think IT are sharp, all they have to do is follow directions.
 
SV2 said:
Well, I do know the TCP stack, so you are wrong there, but without taking a single IT class, I have set up and configured a firewall that has kept every virus/worm/trojan that has come down the internet pipe in the last two years off my network.. LOL, it's very simple.. anyone who fucks up is a moron, most IT people are not that smart.. it's a myth to think IT are sharp, all they have to do is follow directions.

You can tell me the destination and source on the following TCP packet then?

0000 00 10 db 07 24 90 00 0b db 17 f3 15 08 00 45 00
0010 00 30 4a 0c 40 00 80 06 a5 fd ac 10 9d 04 c0 a8
0020 01 01 11 36 00 50 79 d3 59 1c 00 00 00 00 70 02
0030 40 00 53 eb 00 00 02 04 05 b4 01 01 04 02
 
doesn't matter, I have an open connection to the net, nothing gets past it.

I have an email server, web server, 18 desktops, a print server, firewall.. one domain..

I spend on average 2 hours a week doing that job..

At the end of the day, you have the internet, and you have your lan... the only thing in between the two is your firewall. manage it right and you don't get fucked, mismanage it and welcome to virus city.. glad I've never been to virus city..

do your job
 
SV2 said:
doesn't matter, I have an open connection to the net, nothing gets past it.

I have an email server, web server, 18 desktops, a print server, firewall.. one domain..

I spend on average 2 hours a week doing that job..

At the end of the day, you have the internet, and you have your lan... the only thing in between the two is your firewall. manage it right and you don't get fucked, mismanage it and welcome to virus city.. glad I've never been to virus city..

do your job

Exactly, nuff said. Now get off the thread ya little shit-stain.
 
SV2 said:
doesn't matter, I have an open connection to the net, nothing gets past it.

I have an email server, web server, 18 desktops, a print server, firewall.. one domain..

I spend on average 2 hours a week doing that job..

At the end of the day, you have the internet, and you have your lan... the only thing in between the two is your firewall. manage it right and you don't get fucked, mismanage it and welcome to virus city.. glad I've never been to virus city..

do your job

Nothing personal, but I know people who have more than that in their houses.

This wouldn't exactly define an "enterprise" network.

More like a small workgroup.
 
SV2 said:
doesn't matter, I have an open connection to the net, nothing gets past it.

I have an email server, web server, 18 desktops, a print server, firewall.. one domain..

I spend on average 2 hours a week doing that job..

At the end of the day, you have the internet, and you have your lan... the only thing in between the two is your firewall. manage it right and you don't get fucked, mismanage it and welcome to virus city.. glad I've never been to virus city..

do your job

Learn a new word holmes..
.
scale
 
yup.. but we are all hooked up to the same pipe... I could have 10 thousand clients, doesn't make a difference, my firewall and everything else behind it is tight...
 
1) code - an IP header or a TCP header? And do you want source/destination port or address? The format there looks sparse, so I'm assuming it is a TCP header (part of it), which would then have the source and destination ports within there - but I don't think that is enough data for the IP header - but it sounded like you wanted an address resolution - it has been awhile, but I thought you would need the IP header for that.
Like I said, it has been awhile.

2) I like how SV2 gave the ol' "doesn't matter" - I like that. Use that one in an interview after you have just announced that you do in fact know the TCP/IP stack.

I've been running around all day upgrading systems to WinXP. Fun stuff.

And SV2, careful of your ego and bravado, those things are more fragile than you know and when you finally do get that virus, trojan, or worm... well - we are going to make fun of you non-stop.

That said, I'm glad you are working, and I'm glad you have a small network. I too have a small network - but I'm less cocky about it than you nimblenuts since I have worked with much larger systems and am aware of how lucky I am to have it this easy.
 
Latest bad news unrelated to virii, how poor of Sys Admins our corp has or how smart SV2 is...

The first of the local ISP broadband providers is shutting down their VPN access stating that their service is for HOME users only.
Luckily it is a small company Comcast...
 
Okay, just got back from installing more software on a machine.

I'll have another quick go at Code's packet there - I'm the first to say I'm rusty at this, but I will treat it the way I think I should and see how that goes (it doesn't look quite right, but a lot of the stuff matches up, so I'll just chalk that up to my rusty memory).

Alrighty, chop off the field indicators.

Then take the first 14 bytes and the last two for the ethernet header.

Leaves us a chunk starting at 45, which means that it is IPv4, and then the 5 means that is the length of the IP header in 32-bit words.
So 20 bytes.

So the next 20 bytes is the IP header... then looking at the last 8 bytes there should give us the source and dest IPs....
Source: 172.16.157.4
Dest: 192.168.1.1

Then going on with the TCP header to get the source/dest ports (the first 4 bytes):
Source port: 1754
Destination port: 80

192.168.1.1 is part of the reserved IP address set, which you likely see inside networks where the machines are firewalled and you can't directly access them.

Port 80 usually being HTTP (Web) access.

1754 usually being an Oracle port.
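The decode walked through above, as an added example that is not code from the thread: a small Python parser that strips the offset column from Code's dump, walks the Ethernet, IPv4 and TCP headers using the IHL and data-offset fields rather than assuming fixed sizes, and recomputes the IPv4 and TCP checksums so a mis-transcribed byte is caught instead of silently decoded. Run it to check the addresses and ports by machine rather than by hand.

```python
"""Walk the Ethernet/IPv4/TCP headers of the packet dump quoted above.

Added example, not code from the thread. Honours IHL and the TCP data
offset instead of assuming 20-byte headers, and verifies both checksums."""
import struct
from ipaddress import IPv4Address

# The dump exactly as posted in the thread, offset column included.
DUMP = """
0000 00 10 db 07 24 90 00 0b db 17 f3 15 08 00 45 00
0010 00 30 4a 0c 40 00 80 06 a5 fd ac 10 9d 04 c0 a8
0020 01 01 11 36 00 50 79 d3 59 1c 00 00 00 00 70 02
0030 40 00 53 eb 00 00 02 04 05 b4 01 01 04 02
"""

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the leading offset field of each line and join the byte columns."""
    return bytes(int(b, 16) for line in dump.strip().splitlines() for b in line.split()[1:])


def checksum(data: bytes) -> int:
    """RFC 1071 checksum. Over data that already contains its checksum, 0 means valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Return the header fields an incident responder wants from one frame."""
    # Ethernet II: destination MAC, source MAC, EtherType (0x0800 = IPv4).
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    # IPv4 fixed header; IHL is in 32-bit words, so options may follow it.
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = (
        struct.unpack("!BBHHHBBH4s4s", ip[:20]))
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 version, IHL or header checksum")
    if proto != 6:
        raise ValueError(f"not TCP: IP protocol {proto}")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4         # TCP header length incl. options
    flags = [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]
    # The TCP checksum also covers a pseudo-header: addresses, protocol, length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    if checksum(pseudo + tcp) != 0:
        raise ValueError("TCP checksum mismatch")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ttl": ttl,
        "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)),
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window,
        "tcp_options": tcp[20:data_off].hex(), "payload_len": len(tcp) - data_off,
    }


if __name__ == "__main__":
    for key, value in decode_frame(hexdump_to_bytes(DUMP)).items():
        print(f"{key:12} {value}")
```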
 
MarthaStewart said:
Okay, just got back from installing more software on a machine.

I'll have another quick go at Code's packet there - I'm the first to say I'm rusty at this, but I will treat it the way I think I should and see how that goes (it doesn't look quite right, but a lot of the stuff matches up, so I'll just chalk that up to my rusty memory).

Alrighty, chop off the field indicators.

Then take the first 14 bytes and the last two for the ethernet header.

Leaves us a chunk starting at 45, which means that it is IPv4, and then the 5 means that is the length of the IP header in 32-bit words.
So 20 bytes.

So the next 20 bytes is the IP header... then looking at the last 8 bytes there should give us the source and dest IPs....
Source: 172.16.157.4
Dest: 192.168.1.1

Then going on with the TCP header to get the source/dest ports (the first 4 bytes):
Source port: 1754
Destination port: 80

192.168.1.1 is part of the reserved IP address set, which you likely see inside networks where the machines are firewalled and you can't directly access them.

Port 80 usually being HTTP (Web) access.

1754 usually being an Oracle port.

Good job man.
 